ietf-openpgp

Re: Suggested changes for DSA2

2006-03-27 16:45:52

David writes:
For implementation of signature verification you can just take p and q
straight from the public key.  You don't need to guess since the key
has all the information you need.

With signatures, it is the verifier more than the signer who is vulnerable
and who needs to be protected.  The problem is that as the verifying
software it is my responsibility to provide some level of assurance to
the user about how strong this signature is.

Right now at best we only report the key size.  I'd like to make sure that
q is as strong as p.  Otherwise we might see a 4096 bit key with a 160 bit
q, so it is really no stronger than a 1024 bit key.  It is hard to report
to the user how strong a signature by that key should be considered to be.

This problem goes away if we standardize on the q sizes that go with
certain p sizes.  That's what I'd like to do.  Any keys that break the
rules would be considered invalid.  Maybe we don't have to just do the
FIPS ones but could extend them somewhat.

Hal
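An added illustration of the verifier-side check Hal proposes (example code, not from Hal's message or any OpenPGP implementation): classify a key's p and q bit lengths against a table of agreed pairings and report one effective strength figure instead of the bare key size. The (p, q) pairings are the FIPS 186-3 ones and the modulus-strength mapping follows NIST SP 800-57; make_sizes builds constructed, non-prime stand-ins with the right bit lengths so the example runs offline.

```python
from dataclasses import dataclass

# FIPS 186-3 (p bits, q bits) pairings. Hal's proposal would reject any key
# whose sizes are not in an agreed table like this (possibly extended).
FIPS_DSA_SIZES = frozenset({(1024, 160), (2048, 224), (2048, 256), (3072, 256)})


def modulus_strength_bits(p_bits: int) -> int:
    """Approximate security of a p_bits modulus (NIST SP 800-57 table)."""
    for min_bits, strength in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if p_bits >= min_bits:
            return strength
    return 0


def subgroup_strength_bits(q_bits: int) -> int:
    """Generic discrete-log attacks on the order-q subgroup cost about sqrt(q)."""
    return q_bits // 2


@dataclass
class DsaSizeReport:
    p_bits: int
    q_bits: int
    effective_bits: int   # what the verifier should tell the user
    allowed: bool         # does (p, q) match an agreed pairing?
    reason: str


def check_dsa_sizes(p: int, q: int, allowed=FIPS_DSA_SIZES) -> DsaSizeReport:
    """Verifier-side size policy: the weaker of p and q sets the strength,
    and sizes outside the agreed table make the key invalid."""
    p_bits, q_bits = p.bit_length(), q.bit_length()
    if (p - 1) % q != 0:
        return DsaSizeReport(p_bits, q_bits, 0, False, "q does not divide p-1")
    eff = min(modulus_strength_bits(p_bits), subgroup_strength_bits(q_bits))
    if (p_bits, q_bits) not in allowed:
        return DsaSizeReport(p_bits, q_bits, eff, False,
                             f"{p_bits}/{q_bits} not in the allowed size table")
    return DsaSizeReport(p_bits, q_bits, eff, True, "sizes match an allowed pairing")


def make_sizes(p_bits: int, q_bits: int):
    """Constructed stand-ins (assumption: not prime, no primality testing here)
    with exactly the requested bit lengths and q | p-1, for size classification."""
    q = (1 << (q_bits - 1)) | 1          # odd, q_bits long
    p = q * (1 << (p_bits - q_bits)) + 1  # q*k is even, so +1 keeps p_bits long
    return p, q


if __name__ == "__main__":
    # Hal's example: a 4096-bit p with a 160-bit q is no stronger than 1024/160.
    for sizes in ((4096, 160), (1024, 160), (3072, 256)):
        print(check_dsa_sizes(*make_sizes(*sizes)))
```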